[00:00.000 --> 00:08.200]  Hello everyone, welcome to Lock Bypass Village and welcome to my talk all about alarms and access control systems and how to hack them.
[00:08.280 --> 00:16.160]  This talk is going to be fairly high level, so we'll talk about the full range of hardware that is common to encounter in the wild,
[00:16.160 --> 00:20.000]  as well as the general attack methodologies that we can use against them.
[00:20.000 --> 00:26.760]  We won't go too much into the weeds about specific makes and manufacturers and specific attacks that can be used,
[00:26.760 --> 00:32.300]  but that is generally quite inferable from what we'll be talking about today.
[00:32.700 --> 00:40.000]  So, let's start by considering a simple door, purely mechanical, and this is what all of the rest of Lock Bypass Village is about,
[00:40.000 --> 00:43.180]  various ways that we can get through this door if it is locked.
[00:43.300 --> 00:50.200]  So, you might be able to pick the lock, use an under-the-door tool on the handle, you might be able to remove the hinges, etc.
[00:50.700 --> 00:54.820]  What happens if we want to make this an access-controlled door?
[00:55.480 --> 00:59.980]  At the bare minimum, we'll need to add some sort of credential reader,
[00:59.980 --> 01:07.860]  and some sort of electronically-controlled actuator that will lock and unlock the door,
[01:07.860 --> 01:14.420]  and some sort of controller that will determine if the credential is valid, and if so, go ahead and unlock that door.
[01:14.420 --> 01:25.340]  At this point, it's very easy to add a little bit of sensing to sense anomalies, such as brute force entry or bypassing being done,
[01:25.340 --> 01:29.300]  and that can be done quite cheaply by adding a magnetic reed switch.
[01:29.300 --> 01:37.240]  So, this bottom unit here is a simple magnet, and in the top, there is a wire that's going to be balanced within a magnetic field,
[01:37.240 --> 01:46.460]  and if the field becomes too strong or too weak, it will break or make an electrical contact, letting the controller know that the magnet has moved.
[01:46.460 --> 01:50.080]  The purpose of this is to detect when the door has opened.
[01:51.000 --> 01:56.640]  So, one problem with doing that is if someone's trying to exit the door.
[01:56.640 --> 02:03.080]  If they're trying to enter, they're going to swipe the credential, the controller will unlock the door, it detects an open, that's okay.
[02:03.080 --> 02:10.580]  If they're trying to exit, it's now going to trip this type of sensor here, a request-to-exit sensor, which is the general term,
[02:10.580 --> 02:16.260]  and very frequently what we see with these is passive infrared technology being used.
[02:16.260 --> 02:24.360]  So, it will detect the black-body emission spectrum of the human body on the secure side of the door, meaning someone's trying to exit,
[02:24.360 --> 02:32.000]  and if that's the case, if it detects that, and then it detects that the door opens, that is okay, that's a valid exit sequence of events.
[02:32.000 --> 02:41.440]  If, however, it detects that the door has opened, there was no valid credential swiped, and no one was standing on the secure side of the door waiting to exit,
[02:41.440 --> 02:47.660]  that is an alarm condition, and that indicates that the door might have been forced open, might have been bypassed open, etc.
[02:47.660 --> 02:51.260]  But it will send that alarm to the access controller.
[02:51.400 --> 02:55.420]  We're missing one more component that we need if that happens,
[02:55.420 --> 03:02.240]  which is that the access controller needs some way to communicate to the outside world that there's an alarm that needs to be investigated.
[03:02.260 --> 03:06.640]  So there's going to be some line out from the access controller to do that.
[03:06.640 --> 03:09.400]  There's usually going to be a line in as well.
[03:09.400 --> 03:14.520]  So this way we can, say, set what the public building hours are so that the door will be open.
[03:14.520 --> 03:20.320]  This way we can set who is allowed to access it, we can revoke credentials as necessary, etc.
[03:21.000 --> 03:26.700]  So let's look at some of the technologies that are available for these various parts of the system.
[03:26.700 --> 03:34.460]  For the credential reader itself, we have RFID-based, which is the most modern and generally the most secure.
[03:34.860 --> 03:43.360]  We have MagStripe, so cards that are encoded with a number in magnetic polarities along the card.
[03:43.360 --> 03:47.200]  We can use a biometric reader, such as a fingerprint scanner here.
[03:47.300 --> 03:58.520]  A key code entry system, so instead of being something that the user has or something that the user is, it's something the user knows, so the code.
[03:58.720 --> 04:11.080]  And we can also have a camera, where some human on the other end of that line is going to look in the camera, see who it is, and make the go or no-go decision of is this person authorized to enter this facility.
[04:11.640 --> 04:21.080]  In terms of technologies available for the actuator, so this one that is the most common by far is a MagStrike, or magnetic door strike.
[04:21.120 --> 04:32.980]  This plate here is going to be loose and allowed to swing open when the door is supposed to be unlocked, and it will seize up and not move and prevent the door from opening when the door is supposed to be locked.
[04:32.980 --> 04:40.020]  Over here we have a MagLock, so this larger unit will be mounted to the frame, and this smaller one onto the door.
[04:40.020 --> 04:49.080]  These will magnetically couple and hold very, very tightly, with generally 2,000 pounds or more of holding force, when the door is supposed to be locked.
[04:49.080 --> 04:54.100]  And then the system will let them separate when the door is supposed to be unlocked.
[04:54.100 --> 05:05.000]  We might have an electronically controlled set of handle hardware, so just like how the key can be used to lock and unlock the door, we just have an electronic actuator inside that does the same.
[05:05.000 --> 05:15.120]  In higher security applications, we might see a turnstile-based system here, so a very good system to prevent piggybacking in after someone. It only lets one person in at a time.
[05:15.120 --> 05:19.520]  And we might also see various vehicle control systems as well.
[05:20.320 --> 05:25.760]  In terms of the sensor, ultimately the goal of this is to detect is the door open or not.
[05:25.760 --> 05:33.880]  Most commonly we see magnetic-based sensors, so these two are mounted on the frame of the door, on the inside or outside of the frame.
[05:34.000 --> 05:42.100]  They should be mounted on the secure side. If they're mounted on the insecure side, that then opens up a whole host of attacks that we can use.
[05:42.140 --> 05:48.960]  We also have magnetic sensors that are mounted within the frame, so drilling a hole in the frame and at the top of the door
[05:48.960 --> 05:52.140]  to mount both the sensor and the magnet that goes with it.
[05:52.300 --> 05:59.200]  We can use optical-based sensors, so detecting light or dark where the door is supposed to be.
[05:59.200 --> 06:05.720]  Some hinges are capable of sensing what their position is and reporting that back.
[06:05.720 --> 06:11.420]  And as well we have some mechanical-based sensors, so this arm getting tripped when the door is in the correct position.
[06:12.200 --> 06:18.380]  In terms of the request-to-exit sensor, that is often done with a passive infrared sensor like these two here.
[06:18.380 --> 06:24.560]  Sometimes it's a button that the user pushes to cause that door to unlock and allow egress.
[06:24.600 --> 06:31.960]  It might also be the exit hardware itself, so pushing a push bar there that will mechanically unlatch,
[06:31.960 --> 06:37.980]  will also tell the controller that someone is trying to exit and this is not an alarm situation.
[06:37.980 --> 06:42.900]  And finally, in very high security environments, we might see another credential reader.
[06:42.900 --> 06:50.920]  So you actually have to swipe your credential to say that yes, I am an authorized user and I am exiting this facility normally.
[06:50.920 --> 06:56.080]  In an emergency situation, there of course do need to be overrides, but that could cause an alarm.
[06:56.740 --> 06:59.960]  So this is what these tend to look like in the field.
[06:59.960 --> 07:08.900]  You'll see your request-to-exit sensor mounted here, and then at the bottom we have our in-frame type magnetic contact sensor.
[07:08.900 --> 07:12.900]  On the door side, here is the magnet that goes along with it.
[07:14.580 --> 07:21.600]  So this is the general setup that we need, at a bare minimum, for an access control and alarm system.
[07:21.620 --> 07:29.360]  We can add a few peripherals, such as there might be a mechanical key switch that can be used to turn the door on and off,
[07:29.360 --> 07:33.920]  so to lock the door or unlock it, say for public building access hours.
[07:33.920 --> 07:45.580]  This might be used by a security guard. It allows someone with much less training and much less complexity of integration to the network controller to actually lock and unlock the system.
[07:45.920 --> 07:52.140]  We might also see accessibility features, such as buttons that will trigger an automatic door opener.
[07:52.140 --> 08:04.960]  Generally, the button on the outside, or the unsecure side of the door, will only open this door if a credential has been swiped validly, or if the door is supposed to be unlocked, such as during building public open hours.
[08:04.960 --> 08:16.680]  On the inside, that's generally not required, and the mere act of pressing this button will cause the mag strike to unlock, and the door to then automatically open.
[08:16.680 --> 08:29.240]  And finally, we also see it tied into the fire system in a lot of cases, because if we're using a mag lock, there is no mechanical override to cause that to unlock.
[08:29.240 --> 08:36.160]  If it's a mag lock, the access controller must unlock it for us. If it doesn't do that, that door will stay locked.
[08:36.160 --> 08:40.660]  That can be a fire hazard if someone needs to exit in an emergency situation.
[08:40.660 --> 08:48.980]  So the way that that is done is, by code, there must be a fire alarm pull near any mag locked door that is a fire exit.
[08:49.200 --> 08:56.400]  And if the fire alarm is triggered, that mag lock is then going to open and allow egress from the building.
[08:56.560 --> 09:00.780]  Because of that, there needs to be a tie-in from the fire alarm system.
[09:01.680 --> 09:09.080]  All of these aspects require power. So sometimes there's separate power required for credential readers.
[09:09.080 --> 09:19.720]  There always is for the access controller, and the fire controller, and large power draw components, such as a door opener here.
[09:19.720 --> 09:32.120]  We can disable the alarm, or breach the door entirely, causing it to open, by attacking any of the hardware, power, or comms lines in this relatively complicated system.
[09:32.120 --> 09:34.680]  So let's talk about how we can do that.
[09:34.760 --> 09:45.800]  Starting with the power. We can cut power to the access controller, and when that happens, by code, things like mag locks need to fail open.
[09:45.800 --> 09:51.580]  We can likewise cut power to the fire controller. That, of course, has life safety implications.
[09:51.740 --> 10:05.220]  But it will also cause the mag lock to open, because if the fire controller goes offline, then there's no way to effectively cause egress if that becomes necessary in an emergency.
[10:05.360 --> 10:11.000]  Incidentally, it is very, very difficult to kill power to this. It has all sorts of backups available.
[10:11.000 --> 10:22.300]  And then we can also kill power directly to the mag lock, and to other peripherals of the system that might be able to cause us entry, or disable the alarm.
[10:23.000 --> 10:29.360]  We can attack the door contact sensor, so if it doesn't sense that that door opens, it will not trigger an alarm.
[10:29.740 --> 10:32.240]  And we'll talk about a number of ways to do that.
[10:32.820 --> 10:40.480]  We can attack the request to exit sensor, so if it thinks someone's trying to exit, then even if it does detect the door opens, it will not trigger an alarm.
[10:40.480 --> 10:45.700]  We can attack the mag strike, so to cause the door to open up.
[10:46.300 --> 10:53.440]  We can attack the credential reader, to cause it to think that a valid credential has been swiped, or to clone a credential, etc.
[10:53.900 --> 10:58.560]  We can attack the inside, the secure side, accessibility button.
[10:58.560 --> 11:09.940]  So if that gets pressed, or the controller thinks it's been pressed, it's going to unlock the door, open the door, and disable any alarm that might come along with that otherwise.
[11:09.940 --> 11:14.960]  We can attack this key switch, make the controller think that the door is supposed to be open.
[11:15.340 --> 11:22.480]  We can attack the fire system, make it think that we are in an alarmed state, and so the mag locks need to open.
[11:22.640 --> 11:33.840]  We can attack the line out, so most simply by blocking any attempted communication of an alarm from getting out to an external control center.
[11:33.840 --> 11:41.140]  We can attack the line in, so by telling the controller that my credential is a valid one and you should let it in.
[11:41.140 --> 11:49.140]  Or by, say, telling the controller that the building public hours are 9 to 5, as well as 2:00 to 2:01 AM on Friday nights.
[11:49.140 --> 11:53.360]  And then we can come back at that specific time, and it will just let us in.
[11:53.360 --> 12:06.240]  We can attack the controller itself, so it is, of course, a fairly complicated piece of ICS equipment, and is vulnerable to all sorts of cyber attacks that are the subject of all the other DEFCON villages.
[12:07.540 --> 12:15.840]  We can also attack all of the comms lines, everywhere throughout this, and that's something that we'll talk about fairly extensively in the rest of this talk.
[12:15.840 --> 12:21.700]  And there's one more attack vector that we can take in this overall system.
[12:21.700 --> 12:25.040]  Take a stare at it and see if you can figure out what it is.
[12:25.080 --> 12:29.060]  The answer is... the door itself.
[12:29.060 --> 12:40.280]  If we can cause some way to mechanically get ourselves through this door, without interacting with all of this other equipment, then we've effectively disabled the alarm.
[12:40.420 --> 12:44.700]  So, one very brute force way is to saw a hole in the middle of the door.
[12:44.700 --> 12:46.600]  There are other options as well.
[12:46.600 --> 12:50.340]  So, many doors have these vent louvres in them.
[12:51.040 --> 12:56.080]  Frequently, we see these with the screws facing the outside, which is a terrible security decision.
[12:56.080 --> 12:59.460]  You can just unscrew that, and then slide on through.
[12:59.760 --> 13:03.280]  Doors with windows in them, as well, can be attacked.
[13:03.340 --> 13:06.440]  And so you can go through the window to achieve a similar effect.
[13:06.440 --> 13:09.500]  And this is something that is seen on occasion.
[13:09.700 --> 13:12.220]  So here's an example of a residential burglary.
[13:12.220 --> 13:16.340]  These burglars have seen the contact sensors on the doors.
[13:16.340 --> 13:19.460]  They know that they can't actually cause these doors to open.
[13:19.720 --> 13:22.080]  So what they're going to do instead is break the window.
[13:22.080 --> 13:28.500]  And rather than reaching through and depressing the handle, they're just going to climb through these wide open windows.
[13:28.540 --> 13:30.500]  And so we see them doing that now.
[13:30.560 --> 13:37.280]  Incidentally, those very wide open windows make this particular house more vulnerable to burglaries.
[13:37.280 --> 13:44.640]  Because they can see all of the valuables that are inside, where they are, what the alarm system is like, etc.
[13:44.640 --> 13:47.740]  It's a much less risky endeavor for them.
[13:48.060 --> 13:50.200]  And so the burglars are just reaming that out.
[13:50.200 --> 13:53.020]  And we'll see them crawl through in a minute.
[13:57.910 --> 14:02.990]  And just like that, they are in, bypassing the alarm system.
[14:04.950 --> 14:07.930]  So let's talk about the communications lines.
[14:07.930 --> 14:15.170]  Every aspect of the system has communications lines going into it or coming out saying, should I be enabled or not?
[14:15.170 --> 14:16.850]  And we can attack those.
[14:16.850 --> 14:25.010]  We'll focus on the magnetic contact sensor because it's the one that's sort of most readily attackable.
[14:25.010 --> 14:27.970]  But this applies to all the others as well.
[14:28.410 --> 14:34.090]  So in the case of the contact sensor, we have a normally closed situation.
[14:34.090 --> 14:37.270]  That's normally what we see for security alarms.
[14:37.270 --> 14:41.670]  And that is that in the secure state, the door is closed.
[14:41.670 --> 14:43.650]  That means that the circuit is closed as well.
[14:43.650 --> 14:45.530]  So it's a short circuit.
[14:45.530 --> 14:47.370]  We have power flowing.
[14:47.470 --> 14:50.970]  And if that gets interrupted, we know it's an alarm state.
[14:50.970 --> 14:53.930]  So if the switch opens up, that becomes an alarm.
[14:54.090 --> 14:57.770]  And what we can do is jumper the line from one to the other.
[14:57.770 --> 15:01.730]  And that way, if that switch opens up, it will not send an alarm.
[15:02.970 --> 15:06.670]  In the normally open state, we have the line is broken.
[15:06.670 --> 15:09.890]  So the switch is open and there's no power flowing.
[15:09.890 --> 15:11.630]  And that's the normal situation.
[15:11.730 --> 15:14.130]  When we open the door, the switch closes.
[15:14.150 --> 15:17.310]  And then the controller sees low impedance and sends an alarm.
[15:17.310 --> 15:19.250]  We can just then cut that line.
[15:19.250 --> 15:23.630]  And at that point, it simulates the switch being open and the door being closed.
[15:23.790 --> 15:27.050]  No matter what we do at the switch end.
[15:27.490 --> 15:29.670]  What can we do to defend against these?
[15:29.670 --> 15:35.230]  Most commonly, what we see is having end-of-line resistors.
[15:35.230 --> 15:41.970]  So the effect, as seen by the controller, is the door switches between two different resistances.
[15:41.970 --> 15:45.530]  The way we accomplish this in practice, rather than having a three-lead switch,
[15:45.530 --> 15:51.730]  usually is having a series resistor that runs on one of the lines in series with it,
[15:51.730 --> 15:56.330]  and a shunt resistor that crosses across those two lines.
[15:56.330 --> 16:00.970]  So we always have some power flowing through the shunt resistor, even when that switch is closed.
[16:01.090 --> 16:07.490]  And when the switch is open, it must flow through that series resistor as well.
[16:07.710 --> 16:11.650]  There are ways to defeat that, and we'll talk about those in a minute.
[16:11.650 --> 16:17.690]  But the absolute best that we can do is an encrypted digital line that has denial-of-service detection heartbeats.
[16:17.690 --> 16:21.210]  And we'll talk a little bit more about digital lines shortly.
[16:21.210 --> 16:27.190]  What we'll look at first is a game that we're actually releasing this year for DEFCON Safe Mode with Lock Bypass Village
[16:27.190 --> 16:34.830]  that will let you practice rewiring alarms to disable the actual alarm on the end of them.
[16:35.590 --> 16:40.950]  So this is mirroring a physical demonstration that we were planning to do at DEFCON in real life,
[16:40.950 --> 16:45.510]  but of course that can't happen. So this is the best that we can do as a surrogate.
[16:45.510 --> 16:49.890]  What we have here is a simulated door with its contact sensor
[16:49.890 --> 16:55.270]  and an alarm controller here. We'll talk about what a zone is in a minute,
[16:55.270 --> 16:59.830]  but it means for the sake of this demonstration, a single door.
[16:59.830 --> 17:07.230]  We have a supply current of 25 milliamps and zero volts that are coming across that system.
[17:07.230 --> 17:13.410]  That tells us that there is a short circuit here and an equivalent resistance of zero.
[17:13.410 --> 17:17.090]  So a short circuit, and that is an alarm status of OK.
[17:17.090 --> 17:23.130]  If we open this door, we now have an open circuit. So the circuit has been broken.
[17:23.350 --> 17:28.010]  The line voltage becomes indeterminate because there's no current going through,
[17:28.010 --> 17:33.230]  and this is an alarm state. So it's simply looking for short circuit or open circuit.
[17:33.290 --> 17:40.270]  In order to defeat this system, what we can do is cut the line and strip it,
[17:41.870 --> 17:48.110]  and then take a jumper cable and hardwire those two wires together.
[17:48.270 --> 17:53.950]  And so now we have an OK state. We see a short circuit on the controller end,
[17:53.950 --> 17:59.250]  and the door is totally disconnected. So we can open and close that door all we want,
[17:59.250 --> 18:02.750]  and the controller will have no idea.
[18:03.270 --> 18:06.830]  You'll notice that when I initially cut that line to strip those wires,
[18:06.830 --> 18:10.910]  that did trigger the alarm. We wouldn't generally want to do that in the field.
[18:10.910 --> 18:15.010]  The way to get around that is using this tap piece of hardware,
[18:15.010 --> 18:19.370]  so we would actually strip just the outer sheath and then tap the inner wires
[18:19.370 --> 18:22.890]  and bridge those taps together.
[18:23.230 --> 18:27.470]  So that's something that you can practice for yourselves using this game.
[18:28.350 --> 18:32.330]  In the next situation of a normally open switch,
[18:32.330 --> 18:35.730]  so we have an open circuit when the door is closed.
[18:35.730 --> 18:40.410]  When we open the door, that's then going to complete this circuit,
[18:40.410 --> 18:44.910]  and we now see zero ohms, so a short circuit situation.
[18:44.910 --> 18:49.390]  The way that we defeat this is very simple. Cut the line.
[18:49.490 --> 18:54.450]  And now we have an open circuit, no matter what happens, because the line is cut.
[18:55.090 --> 18:59.770]  The most secure situation is where we have these end-of-line resistors.
[18:59.770 --> 19:05.190]  So we have a series resistor here, and a shunt resistor connecting these two lines there.
[19:05.190 --> 19:11.970]  And that happens right at the end of the line, right before the sensor exists.
[19:12.210 --> 19:17.930]  And so what happens now is, if I have an equivalent resistance of 45 ohms,
[19:17.930 --> 19:21.570]  when the door is closed, it jumps up to 500 when the door is open,
[19:21.570 --> 19:25.130]  so we have our OK state and our alarm state.
[19:25.190 --> 19:29.430]  If I were to cut the line, it's going to detect an open circuit,
[19:29.430 --> 19:31.670]  which is different than those other two states,
[19:31.670 --> 19:34.950]  and that indicates tampering has happened on the line.
[19:34.950 --> 19:40.390]  Likewise, if I go through and actually bridge that connection,
[19:41.170 --> 19:46.070]  it's going to detect a short circuit, which it also normally would never see,
[19:46.070 --> 19:47.870]  because of these end-of-line resistors.
[19:47.870 --> 19:52.530]  So that also indicates tampering along that line, and that would send a different alarm,
[19:52.530 --> 19:56.310]  that hopefully would be responded to with greater severity.
[19:56.310 --> 20:03.290]  The way that we can defeat that is by adding our own resistances along the line,
[20:03.290 --> 20:06.750]  and so there's a number of ways that you can play around with doing that in these games,
[20:06.750 --> 20:10.710]  such as adding potentiometers that you can then control,
[20:10.710 --> 20:13.990]  as well as a whole slew of resistors.
[20:13.990 --> 20:20.290]  And you can play around with that to get a situation where you can both disable an alarm once,
[20:20.290 --> 20:24.170]  as well as go through the whole situation of disabling an alarm,
[20:24.170 --> 20:28.670]  where it never actually sent an alarm while you were tampering with those wires.
[20:28.670 --> 20:34.250]  So that's something that you can play with as well in the Lock Bypass Village this year.
[20:37.820 --> 20:42.980]  So let's talk a little bit about digital communications lines,
[20:42.980 --> 20:46.960]  and the various attacks and defenses that exist on those.
[20:47.260 --> 20:51.660]  So a digital communication line is going to be sending a 0 or a 1.
[20:51.660 --> 20:59.080]  So here's an example of 0101001101 being sent in the ideal case.
[20:59.120 --> 21:03.580]  Communications lines have some parasitic capacitance,
[21:03.580 --> 21:08.100]  so because those lines are two plates close together effectively, just very long,
[21:08.100 --> 21:13.600]  it acts like a capacitor, and that causes some capacitive effects here,
[21:13.600 --> 21:17.420]  so we see the line getting charged up and then charged back down.
[21:17.420 --> 21:24.080]  It also has some parasitic inductance, so that line is going to induce a magnetic field around it
[21:24.080 --> 21:31.160]  as the electric current in it changes, and so as a result we see this higher-order Fourier effect
[21:31.160 --> 21:38.360]  that happens on the line. And so the combination of those two is this pattern that we see down here,
[21:38.580 --> 21:41.620]  a slightly distorted digital signal.
[21:43.380 --> 21:47.620]  There's also noise. So there's noise in the environment, there's magnetic and electric noise,
[21:47.620 --> 21:50.320]  and that's going to inductively couple with the line.
[21:50.560 --> 21:56.540]  And there's noise in the sender and the receiver electronics as well, all of that contributes.
[21:56.700 --> 22:02.220]  And so we're going to take this slightly distorted signal from our nonlinear line,
[22:02.220 --> 22:09.540]  and we're going to add onto it this noise, and we get a further distorted electrical signal.
[22:09.540 --> 22:14.980]  This, as you can see, would still be relatively easy for the receiver to decode and determine
[22:14.980 --> 22:17.900]  what bits were being sent at what time.
[22:18.100 --> 22:22.240]  Noise, though, is a somewhat powerful phenomenon.
[22:22.260 --> 22:26.940]  As the amplitude of the noise relative to the amplitude of the signal increases,
[22:26.940 --> 22:32.660]  the noise starts to overtake the signal until the signal is no longer decipherable.
[22:32.660 --> 22:35.900]  And that's a situation where we have a breakdown of communications.
[22:35.900 --> 22:39.420]  That's something that is often the case just naturally,
[22:39.420 --> 22:45.620]  but it can also be used by an attacker to cause a denial of service.
[22:45.980 --> 22:53.280]  And mathematically, what we see is the 0 bit is going to form some normal distribution,
[22:53.280 --> 22:58.600]  normal because the noise usually is Gaussian, and the 1 as well is going to do that.
[22:58.600 --> 23:05.160]  As the noise increases, these distributions widen until determining which one is which
[23:05.160 --> 23:09.080]  becomes very difficult because this overlap becomes huge.
[23:09.780 --> 23:15.240]  So how can the red team attack a digital communication line knowing bad information?
[23:15.640 --> 23:20.000]  So, to attack confidentiality on the line, they can tap that wire.
[23:20.000 --> 23:26.860]  That can be with a physical tap, like the one that we looked at when we were attacking the analog alarm wire lines.
[23:26.860 --> 23:32.600]  It can also be with an inductive-based tap, so just listening for RF frequency
[23:32.600 --> 23:36.020]  generated by what that line is communicating on.
[23:36.020 --> 23:40.000]  To attack integrity, they can introduce packets on the line,
[23:40.000 --> 23:43.800]  so tapping into it and then sending data down.
[23:43.800 --> 23:48.180]  And to attack availability, this is the easiest. They can introduce noise.
[23:48.820 --> 23:53.180]  The defenses against this are: you want to physically shield the line,
[23:53.180 --> 24:01.120]  and that's going to help both stop tapping as well as sending power down the line,
[24:01.120 --> 24:03.820]  sending rogue signals down the line.
[24:04.460 --> 24:12.120]  You can encrypt the digital signal, so that will then prevent both confidentiality and integrity attacks.
[24:12.360 --> 24:17.100]  And to protect availability, you want to send heartbeats,
[24:17.100 --> 24:22.580]  so that the line can at least detect if it's being denied service,
[24:22.580 --> 24:26.300]  and that will then let you respond appropriately.
[24:26.300 --> 24:31.100]  So a denial-of-service attack in a very secure environment is the same as an alarm.
[24:31.100 --> 24:36.560]  It needs to be responded to as if it were an alarm, because it could be an attacker doing this on purpose.
[24:38.080 --> 24:46.260]  In the wireless world, what we have is a slightly varied situation.
[24:46.400 --> 24:50.880]  So we can't put a DC current across empty space.
[24:50.920 --> 24:53.600]  That's because of the laws of physics.
[24:53.600 --> 24:56.480]  And the laws of the land further constrain what we can do.
[24:56.480 --> 25:01.660]  We must act within a certain frequency band, so we don't interfere with all the other frequency bands.
[25:02.380 --> 25:06.560]  And so there's a number of ways that we can use what's called a carrier frequency,
[25:06.560 --> 25:12.480]  to send a digital signal along through the air in the wireless world.
[25:12.860 --> 25:17.180]  There's frequency modulation, or frequency shift keying, that you're familiar with from radios,
[25:17.180 --> 25:21.180]  where we change the frequency depending on if it's a 0 or a 1.
[25:21.280 --> 25:25.680]  We can change the amplitude in an AM digital situation,
[25:25.680 --> 25:30.240]  or we can phase shift based on if it's a 0 or a 1.
[25:30.460 --> 25:32.840]  Those are the three main ones that we see.
[25:32.840 --> 25:35.660]  The red team attacks there are, for confidentiality:
[25:35.660 --> 25:41.060]  We just sniff, because these are being broadcast for anyone to intercept,
[25:41.060 --> 25:47.840]  and we can then read what's being sent without any wiretapping required, and read that data.
[25:47.860 --> 25:54.600]  For integrity, we can transmit new data, and we can transmit to overwrite the data that's being sent out.
[25:54.600 --> 25:58.220]  And for availability, of course, we can jam that signal.
[25:58.220 --> 26:01.900]  So again, for a wireless alarm, if jamming happens,
[26:01.900 --> 26:08.580]  that's something that we want to treat as an alarm situation in a high security environment.
[26:08.580 --> 26:14.160]  One interesting aside about FM versus AM is,
[26:14.160 --> 26:21.380]  FM is easier to jam and easier to hijack the signal by sending your own data,
[26:21.380 --> 26:26.720]  because whichever signal in a frequency modulated situation is stronger,
[26:26.720 --> 26:31.740]  by even a small amount, the receiver is going to pick up that signal and only that signal.
[26:31.740 --> 26:34.220]  With AM, it's going to pick up a mixture of the two.
[26:34.220 --> 26:36.920]  So you can actually try this with your radio.
[26:36.920 --> 26:43.480]  If you put it halfway between channels on the FM band, it's going to flip from one to the other.
[26:43.480 --> 26:49.580]  If you put it halfway between channels on the AM band, you're going to hear both channels blended in with one another.
[26:49.580 --> 26:57.740]  But in a security situation, with sending signals across the empty space,
[26:57.740 --> 27:04.360]  that means that FM is easier to jam and to take over with integrity-based attacks.
[27:04.360 --> 27:06.780]  The Blue Team Defense, of course, is encrypt as well.
[27:06.780 --> 27:10.380]  That is the only way to protect confidentiality.
[27:10.380 --> 27:13.120]  For integrity, encrypting works for that as well.
[27:13.120 --> 27:18.580]  We also have the added option of locating where this transmitter is
[27:18.580 --> 27:25.260]  that's trying to take over our communication and trilaterate their position and take them out by various means.
[27:25.260 --> 27:30.940]  We can, of course, also increase the signal strength to avoid their ability to drown us out.
[27:31.060 --> 27:32.900]  And for availability, it's very similar.
[27:32.900 --> 27:36.120]  We can locate and take out the jammer, we can increase our power,
[27:36.120 --> 27:42.580]  and we can also use heartbeats to detect if availability has been compromised.
[27:43.480 --> 27:50.260]  So that's sort of a very high-level overview of how we can attack digital communications lines.
[27:50.260 --> 27:56.660]  We'll take a step back to the physical systems that we see on these doors and what can we do about them.
[27:56.660 --> 28:01.780]  So, for these magnetic reed switches,
[28:01.780 --> 28:06.820]  one very sort of brute-force-ish attack is we can literally unscrew the magnet
[28:06.820 --> 28:11.260]  and hold it in place relative to where it was beside the doorframe
[28:11.260 --> 28:14.520]  and then open the door with the magnet staying where it is.
[28:14.520 --> 28:19.600]  Of course, that's only possible with sensors that are mounted on the outside of the frame,
[28:19.600 --> 28:21.360]  on the unsecure side of the door,
[28:21.360 --> 28:30.780]  but it's a very low-tech attack that, if it's possible, is virtually undetectable by the controller.
[28:30.780 --> 28:35.580]  We can use a surrogate magnet to maintain the magnetic field while the door opens
[28:35.580 --> 28:38.080]  and the real magnet moves out of place.
[28:38.940 --> 28:45.300]  And so we actually have another game that we're releasing with Bypass Village that you can practice this on.
[28:45.300 --> 28:51.900]  So here is our door and we can swing it open and closed and we can see this magnet along the top
[28:51.900 --> 28:58.980]  and we can see the magnetic field that's measured by our sensor up here.
[28:58.980 --> 29:06.260]  And then we can move a little stick with a magnet on it in and out and around that sensor
[29:06.260 --> 29:15.200]  and we can try to use that to make the controller think that the door is closed when it's actually open.
[29:15.280 --> 29:18.680]  And so if we get it to the right place here, it now thinks that that's the case
[29:18.680 --> 29:25.980]  and as we close the door, we can now open and close it without actually triggering that alarm.
[29:25.980 --> 29:31.500]  So that's something that you can play around with yourselves in this game that we are releasing.
[29:33.240 --> 29:41.960]  In terms of the defenses available to the blue team, using an in-frame magnetic sensor helps a lot
[29:42.900 --> 29:48.820]  and putting it on the secure side also helps to avoid these attacks being mechanically possible
[29:48.820 --> 29:52.960]  and we can make them more difficult by using what's called a balanced magnetic switch.
[29:52.960 --> 29:58.060]  So it doesn't just look for the presence of a magnetic field above a certain intensity,
[29:58.060 --> 30:03.360]  it looks for the presence of a magnetic field above a certain intensity but below another one.
[30:03.360 --> 30:07.460]  So if the field is too strong, it's also going to set off that alarm
[30:07.460 --> 30:12.400]  and it makes it a whole lot harder to actually use this surrogate magnet attack
[30:12.400 --> 30:18.880]  and that's something that you can also practice how to defeat those systems with the game that we are releasing.
[30:19.520 --> 30:25.220]  In terms of the request-to-exit systems, if it's a passive infrared,
[30:25.220 --> 30:31.080]  you can send hot or opaque gas or aerosol or something through that door near to the sensor
[30:31.080 --> 30:34.340]  and cause it to think that someone's on the other side.
[30:34.340 --> 30:40.960]  So there's a fairly well-known attack with taking a can of compressed air, turning it upside down and squirting it
[30:40.960 --> 30:47.560]  and then that condensation that's created is enough to trigger many low-security PIR sensors.
[30:47.560 --> 30:54.020]  If it's a push-to-exit button or a handle, an egress handle, you can manipulate it from the other side.
[30:54.020 --> 30:58.540]  So for instance, if this is a request-to-exit sensor and we did an under-the-door tool attack,
[30:58.540 --> 31:03.420]  that would give us two for one, it would also defeat this request-to-exit sensor.
[31:05.280 --> 31:11.400]  And from the blue team's perspective, using a hybrid PIR and radar sensor is going to help immensely
[31:12.020 --> 31:15.540]  with avoiding people faking a human signature on the other side
[31:15.540 --> 31:20.120]  and using a token reader for egress is incredibly powerful.
[31:20.120 --> 31:25.960]  It effectively means that we cannot use request-to-exit sensor-based attacks.
[31:25.960 --> 31:31.900]  We may as well just attack the credential reader on the unsecure side itself.
[31:31.900 --> 31:38.100]  And so that does increase significantly the difficulty of attacking this particular system.
[31:38.100 --> 31:48.080]  So using a token reader on the exit side as well is sort of the electronic equivalent of a euro-style double-barreled deadbolt.
[31:48.080 --> 31:53.600]  Very good design for security purposes, of course at the cost of user convenience.
[31:53.840 --> 32:00.880]  In terms of PIR sensors, we can set them to have high security settings
[32:00.880 --> 32:10.280]  so that it will only trigger if a person is in the very specific right area and not this giant large range here.
[32:10.280 --> 32:16.300]  Long range is really meant for convenience and accessibility, so it'll open the door as someone's walking towards it.
[32:16.300 --> 32:19.080]  It's not meant for security at all.
[32:20.080 --> 32:28.140]  In terms of attacking these actuators, we can separate the electromagnet slightly.
[32:28.140 --> 32:33.420]  So if you ever catch the door open that's equipped with a mag lock,
[32:33.420 --> 32:40.700]  you can take a piece of gaffer tape or something fairly thin and put that onto the surface of it.
[32:40.700 --> 32:49.320]  And that's going to separate those components just enough that it will reduce the holding force from 2,000 pounds down to, say, 50.
[32:49.320 --> 32:53.380]  At which point the door feels secure, but it can be forced open.
[32:53.380 --> 32:56.900]  And that's something that you can then come back and do.
[32:57.160 --> 33:06.920]  And attacks like that, attacking the magnetic-based retaining system, are possible with some designs of mag strikes.
[33:08.300 --> 33:11.080]  We can attack the comms line and the power.
[33:11.080 --> 33:15.700]  So in the case of mag locks, they fail unlocked if the power is gone.
[33:15.700 --> 33:22.440]  And we can, of course, attack the comms line to any of these to make the hardware think that the controller is telling it to open up.
[33:22.440 --> 33:25.380]  And we can use physical bypasses as well.
[33:25.380 --> 33:27.740]  So mag strikes are often poorly sized.
[33:27.740 --> 33:32.560]  The dead latch is going to fall into that hole, and we can loid that latch.
[33:32.560 --> 33:37.100]  If you don't know what that means, check out our Bypass 101 talk.
[33:37.480 --> 33:45.840]  And the blue team, what they can do to help against these attacks is, of course, shield their communications lines and use hardware that fails in a locked state.
[33:46.220 --> 33:51.440]  That might not be allowed due to fire code, but wherever possible, you should try to do that.
[33:51.900 --> 33:58.000]  So here's an example of where we can read that actually there is a mag lock on the other side of the door.
[33:58.000 --> 34:01.840]  That's what these two bolts are telling us, as well as this conduit coming through here.
[34:01.840 --> 34:10.580]  What's interesting, though, is this conduit is, of course, the power that's going to that mag lock that is telling it to stay locked.
[34:10.640 --> 34:14.640]  In this case, turning power on and off is the communications line.
[34:14.640 --> 34:23.240]  And so we can just unscrew any of these junction boxes here and break that wire, cut that connection somehow.
[34:23.240 --> 34:28.320]  And this mag lock is going to then fail in an unlocked state, and we can open this door.
[34:28.320 --> 34:30.040]  Fairly simple attack there.
[34:30.040 --> 34:37.400]  In the case of this type of hardware, where we have a key switch, we can, of course, pick the lock or do other attacks like that.
[34:37.400 --> 34:43.120]  We can unscrew the enclosure casing and then jumper out those lines and make it think that the key has been turned.
[34:43.200 --> 34:49.140]  And, of course, we can perform an attack like that anywhere along the comms line where it's accessible to us.
[34:49.220 --> 34:55.440]  What the blue team can do to defend against this is put the key switch on the secure side of the door.
[34:55.440 --> 34:58.240]  I really don't know why this isn't seen more often.
[34:59.200 --> 35:03.500]  Possibly it's so that the guards can do it when they come on to shift to open up for the first time,
[35:03.500 --> 35:10.200]  but they really should be given a key or some other better credential to get in if that's the case.
[35:10.340 --> 35:17.400]  And that will avoid this threat entirely, because if you're on the secure side, then you're already in.
[35:17.920 --> 35:22.100]  You can use a lock of equal or higher security as the facility's front door.
[35:22.100 --> 35:31.300]  So too often we see crappy Weiser locks on these key switches where the front door might be a high security Medeco,
[35:31.300 --> 35:34.140]  and installing a tamper switch within this box.
[35:34.140 --> 35:40.380]  So if the controller sees that this box has been opened, it will not honor that if the key switch is turned,
[35:40.380 --> 35:44.020]  no matter what happens, as a bit of a defense with that.
[35:44.020 --> 35:49.440]  Of course, that can be bypassed as well. There's loads of ways to bypass tamper switches.
[35:50.180 --> 35:55.680]  Let's talk a little bit about the communications protocols that are used by the credential readers.
[35:55.680 --> 36:01.240]  So we have the Wiegand protocol, which is sort of the original, most well-known one,
[36:01.240 --> 36:12.340]  and it is based off of magnetically charged wires in the card that are going to be placed in either a 0 or a 1 position.
[36:12.340 --> 36:19.880]  And as we swipe that card, it's going to then have sensors that detect that and give us the data from there.
[36:19.880 --> 36:25.800]  We can have magnetically encoded information on a mag stripe, which is similar.
[36:25.800 --> 36:29.600]  And then we can have RFID technologies as well.
[36:30.900 --> 36:40.980]  Down the line, though, for backwards compatibility, almost every reader and almost every controller still supports the Wiegand protocol.
[36:40.980 --> 36:44.980]  And that's just to make sure that we can mix and match any reader with any controller,
[36:44.980 --> 36:49.700]  and there's something they can fall back on that will work.
[36:50.220 --> 36:58.780]  And so that Wiegand protocol looks like, if this is the data that we're sending, so the 0101, 001101 that we saw before,
[36:58.780 --> 37:03.840]  we have our data 0 line and our data 1 line, and they're normally a 1,
[37:03.840 --> 37:11.480]  and we pull either the 0 or the 1 down to a 0 when we want to send a 0 or a 1, respectively.
[37:11.560 --> 37:17.160]  So here we send a 0, then a 1, 0, 1, 0, 0, etc.
[37:18.740 --> 37:29.420]  Because we have that Wiegand protocol in use for backwards compatibility, if we can access those lines,
[37:29.420 --> 37:40.840]  we can then read the Wiegand-encoded data that's being sent, as well as replay or send our own reconstructed packet in that same format.
[37:41.000 --> 37:47.840]  And that's what the BLEKey does, which was released at Black Hat 15 by two very smart individuals.
[37:47.860 --> 37:51.400]  They designed a piece of hardware that would clip onto the alarm wires.
[37:51.400 --> 37:56.440]  So we see here the green and the white Wiegand wires, as well as our black ground.
[37:56.440 --> 38:03.740]  It clips onto that, and it listens to every credential that gets swiped, and it can communicate with your phone via Bluetooth.
[38:03.740 --> 38:12.540]  And that phone can then get the raw credential data, as well as replay any valid credentials, and cause that door to open on demand.
[38:12.540 --> 38:16.640]  So that's one particular attack against that communication line.
[38:16.640 --> 38:30.000]  A good remediation for this is OSDP. It's one of the... well, it's really the only encrypted communication protocol that we see in somewhat widespread use.
[38:30.000 --> 38:36.240]  It's still not very widespread, and there are some proprietary systems that will use other encrypted forms as well.
[38:36.240 --> 38:43.880]  And hook up your damn tamper wires. So when you remove that credential reader from the wall to get access to the wires behind it,
[38:43.880 --> 38:50.640]  almost all of them, the good ones at least, are equipped with a tamper switch that will send the controller a signal saying,
[38:50.640 --> 38:58.800]  hey, this reader has been removed from the wall. If that happens, the controller should respond appropriately, set up the appropriate alarms, etc.
[38:58.860 --> 39:02.120]  All too often, we see that not even hooked up.
[39:03.120 --> 39:06.660]  So here's a quick example we can take a look at.
[39:06.660 --> 39:16.800]  We have our reader here, and we can assume that there's some sort of actuator on the other side, very likely a mag lock.
[39:16.800 --> 39:27.080]  As well as we have an accessibility door here with a visible magnetic strike system, and that will be opened by some other situation.
[39:27.260 --> 39:31.000]  So there's a couple items that we can notice in the wild.
[39:31.000 --> 39:37.440]  One thing to note about all of this hardware we've been talking about is it is blazingly expensive.
[39:37.600 --> 39:46.600]  Here is some of the standard retail costs for what a new construction building might pay for these pieces of hardware.
[39:46.600 --> 39:56.260]  So things like not hooking up your tamper wires, putting poor quality locks on the unsecure side that can disable the system,
[39:56.260 --> 40:00.900]  not shielding your communication lines and letting those be accessible from the public, etc.
[40:01.000 --> 40:06.900]  All of those are really simple fixes and very cheap in comparison to the cost of this hardware,
[40:06.900 --> 40:15.280]  and something that really should be looked at if you have a facility that cares about security enough to pay this kind of money for these systems.
[40:15.280 --> 40:21.900]  But anytime you see a door that's equipped with this equipment, these are the kinds of costs that are involved in actually setting that up.
[40:22.720 --> 40:31.880]  So we've talked a lot about access controllers determining or giving the go or no-go decision on a door based on a credential swipe
[40:31.880 --> 40:35.980]  and sending an alarm if there is an unauthorized access.
[40:36.860 --> 40:41.640]  We can also talk about alarm systems, and they are more state-based.
[40:42.200 --> 40:48.980]  So on a very high level we have three states, an armed state, disarmed, and an alarmed state.
[40:48.980 --> 40:52.940]  And we can enter the arming and disarming sequence to move between these top two.
[40:52.940 --> 40:59.420]  If a sensor is tripped when it's armed, it's going to alarm, and then the reset sequence will move us back to disarmed.
[40:59.460 --> 41:05.960]  In order to attack these systems, our starting state is armed, we're assuming that, since it needs to be attacked.
[41:05.960 --> 41:14.520]  And the two routes that we can take is we can cause the disarming sequence to be entered or cause the controller to think it has been,
[41:14.520 --> 41:22.340]  and move it to a disarmed state, or we can prevent these sensors from being tripped and prevent it from going into an alarmed state.
[41:22.920 --> 41:32.240]  So, to give one example of the first type of attack, this is a typical timeline that happens in older, less well-designed systems.
[41:32.240 --> 41:36.700]  We have our controller here. The sensor gets tripped as time moves along.
[41:36.700 --> 41:42.120]  In a normal situation, a normal entry, the disarmed code is entered, the panel enters a disarmed state,
[41:42.120 --> 41:48.860]  and then the timeout happens, but because the code has been entered in time, nothing happens at that point. The police are never contacted.
[41:49.500 --> 41:56.640]  If, however, a valid code is not entered in time, then when the timeout happens, the panel will then contact the police,
[41:56.640 --> 42:00.580]  and they will be dispatched to see what's happening with this alarm.
[42:01.220 --> 42:08.140]  This allows for what's called a crash and smash attack, which is that, if at any point, between the sensor being tripped and the timeout,
[42:08.140 --> 42:12.780]  the panel is rendered inoperable, the communications lines are rendered inoperable, etc.,
[42:12.780 --> 42:22.700]  it will then prevent it from sending that call for help out when the timeout happens, because the panel no longer operates.
[42:22.900 --> 42:29.260]  This, of course, assumes that your keypad panel is the same as the controller, which in many systems it's not,
[42:29.260 --> 42:35.980]  but many good burglars know which ones are, and which ones are vulnerable to this.
[42:35.980 --> 42:38.960]  And so that's something that you do see on occasion.
[42:39.340 --> 42:44.400]  A better way to handle this is to have an intermediary server that's off-site.
[42:44.400 --> 42:47.860]  As soon as that sensor is tripped, the server is notified.
[42:47.900 --> 42:51.880]  When the disarm code is entered, that server is notified as well.
[42:52.020 --> 42:58.280]  If the disarm code is not entered, then when timeout occurs, the server then will dispatch the police
[42:58.280 --> 43:03.120]  without requiring any more communication from the local facility.
[43:03.120 --> 43:09.980]  That way, if there's a crash and smash attack, and that panel is rendered inoperable, an alarm will still go out.
[43:10.480 --> 43:18.380]  So that's the disarming sequence, or at least sort of a pseudo-situation to move us to a disarmed state.
[43:18.380 --> 43:22.200]  We can also prevent the sensor from being tripped.
[43:22.200 --> 43:26.580]  And there's a load of ways to do that, depending on what type of sensor exists.
[43:26.680 --> 43:28.720]  So we have a number of different types.
[43:28.720 --> 43:35.240]  We have cameras that are usually human-operated, but increasingly we have computer vision systems
[43:35.240 --> 43:37.760]  that are going to look for motion where there shouldn't be.
[43:37.760 --> 43:42.930]  We have these door-open sensors, as well as glass-break sensors are common,
[43:43.280 --> 43:46.000]  so to prevent that through-the-window attack.
[43:46.380 --> 43:50.220]  We have passive infrared sensors that we looked at for requests to exit.
[43:50.300 --> 43:54.040]  Those ones we did want to trip, to make the door think someone was exiting.
[43:54.040 --> 44:00.200]  These ones, as a red team, we don't want to trip, because that will tell the alarm system someone's here and there shouldn't be.
[44:00.360 --> 44:05.140]  So they detect the presence of a human body infrared spectrum.
[44:05.200 --> 44:11.080]  And then we have various underground seismic-based systems to detect someone walking on ground,
[44:11.080 --> 44:14.820]  as well as fence-climb sensors that we see on the outside.
[44:14.880 --> 44:20.920]  Both of these, by the way, are incredibly prone to false positives.
[44:20.920 --> 44:25.720]  So they are only usually seen in very high-security applications.
[44:26.020 --> 44:32.760]  In terms of how the controller combines all of these, we have what's known as alarm zones.
[44:32.760 --> 44:41.400]  So zones are the individual circuits that one or more of these sensors is put on.
[44:41.400 --> 44:48.860]  So in this case, we have a normally-closed zone that has two magnetic reed sensors on it,
[44:49.020 --> 44:52.440]  a second normally-closed zone that has only one on it,
[44:52.440 --> 44:55.380]  and for normally-closed, we need to wire them in series,
[44:55.380 --> 44:59.260]  and then a normally-open zone that has two wired in parallel.
[44:59.620 --> 45:07.780]  For security systems, you usually have them wired in series, if not only a single one on a zone, which is generally better.
[45:07.780 --> 45:15.120]  And then for fire systems, you're going to wire in parallel and have normally-open systems there.
[45:15.120 --> 45:22.440]  So that is how all of these devices get handled by the controller.
[45:22.440 --> 45:27.060]  And what that means is if multiple different sensors are on the same zone,
[45:27.060 --> 45:31.340]  the controller cannot tell which one was tripped, just that one of them was.
[45:31.340 --> 45:34.560]  And so the idea is they generally tend to be aligned in space,
[45:34.560 --> 45:40.860]  so the controller can identify where physically in the facility this alarm is coming from.
[45:41.570 --> 45:45.900]  So there's a number of specific defeats for each of these.
[45:45.960 --> 45:55.320]  One that we'll talk about for passive infrared sensors is to block the infrared signature from your body actually reaching the sensor.
[45:55.320 --> 46:06.660]  So you can use these space blankets that will then reflect the ambient thermal signature back onto the sensor and cause it to not see you.
[46:06.660 --> 46:10.000]  You have to be very careful with those, because if you touch it with your hand,
[46:10.000 --> 46:16.220]  then your hand is now going to... it won't radiate, but it will conduct through because you're touching it,
[46:16.220 --> 46:18.940]  and that's going to defeat your efforts there.
[46:19.160 --> 46:24.940]  We've actually found anecdotally that for many of the commercial PIR sensors out there,
[46:24.940 --> 46:30.920]  yoga mats work incredibly well, a lot better than these do, to block your IR signature.
[46:30.920 --> 46:37.500]  You can move very slowly, because these things have to get a sense of what the environment is,
[46:37.500 --> 46:41.840]  and so if you move slowly, it might think that you are just part of the ambient environment.
[46:42.000 --> 46:47.800]  You can move out of its focus range, so many of these in facilities that might have animals walking around,
[46:47.800 --> 46:55.900]  which is usually a residential setting, will be set to only focus on above two or three feet on the ground.
[46:55.900 --> 47:05.300]  That's the default setting in many cases, and in some cases that is just a physical limitation of the device that's being shipped out.
[47:05.580 --> 47:14.220]  If that happens, you can then effectively get down to that level, away from the focus range, and avoid these entirely.
[47:14.220 --> 47:21.940]  And as well, passive infrared sensors are much more sensitive to motion across them.
[47:21.940 --> 47:25.640]  Moving towards and away from them, they're less sensitive towards.
[47:25.640 --> 47:30.560]  So if you can make your motion in that direction, it will help you avoid being detected.
[47:31.080 --> 47:36.620]  So here is another example that we see that is no longer available.
[47:39.920 --> 47:48.660]  So taking a look at one particular hypothetical layout of passive infrared sensors, this is a bad layout.
[47:48.660 --> 47:51.560]  Take a stare at it and see if you can figure out why.
[47:51.900 --> 48:02.300]  The reasons are, number one, way at the edge of the range is a large part of the room that is accessible by one of the doors.
[48:02.360 --> 48:14.880]  And so we can now get around and access large parts of this room through that, as well as this particular door here gives us access to the back of two of the sensors.
[48:14.880 --> 48:24.920]  And so by doing that, we can then place an IR shield in front of it from behind, and effectively blind them to almost all of the room.
[48:24.920 --> 48:37.640]  And finally, the way that these are laid out, it allows motion in a towards and away from direction to help avoid it detecting on its more sensitive perpendicular axes.
[48:38.700 --> 48:46.120]  The last thing I'll actually mention about this particular layout is someone who is entering this room and seeing that this layout is the case,
[48:46.120 --> 48:50.780]  will wonder, well, why are they clustered along this particular wall?
[48:50.780 --> 48:56.680]  One potential reason might be this shaft here, that X indicates a shaft in the wall.
[48:56.680 --> 49:00.640]  That's likely a pipe riser shaft through which comms lines run as well.
[49:00.640 --> 49:04.700]  So if someone can infer from that that the comms lines for these are running through this shaft,
[49:04.700 --> 49:11.280]  they can enter that instead where there are no sensors and cut them off along the comms lines instead.
[49:11.340 --> 49:17.860]  A better layout surrounds the room and makes sure that all doors are firmly in the coverage range.
[49:17.860 --> 49:26.280]  And there's no way to get in any of these doors without moving entirely perpendicular to these sensors in their sensitivity direction.
[49:26.640 --> 49:31.660]  As well, there's no way to get behind any of the sensors, let alone all of them.
[49:31.660 --> 49:39.080]  And there's no way to get anywhere appreciable within this room without setting off at least one of our motion sensors.
[49:39.200 --> 49:40.940]  So this is a much better layout.
[49:41.840 --> 49:48.180]  The last thing that we can look at, and this is getting a little bit more into social engineering, so we'll only touch on it briefly,
[49:48.180 --> 49:52.200]  is attacking the response that happens when an alarm gets sent out.
[49:52.440 --> 49:57.860]  So when the responding forces are distracted, they might be sleeping, they may be on other calls, etc.
[49:57.860 --> 50:03.040]  It might just be a human factors problem in the control room, which we see very, very frequently.
[50:03.700 --> 50:06.520]  They will not respond effectively to an alarm.
[50:06.520 --> 50:14.100]  And so that can be induced as well, or you can choose to attack in the times that you know they're most likely to be in a state like that.
[50:14.340 --> 50:21.100]  Response fatigue is the term that we use to describe when an alarm has too many false alarms
[50:21.100 --> 50:29.420]  and security decides they're going to stop responding to it. It's probably just a raccoon climbing the fence or bumping up against the fence or whatever.
[50:29.480 --> 50:31.660]  Kind of like the boy who cried wolf.
[50:31.660 --> 50:39.160]  So by setting off one alarm many, many times, making security think it's a false alarm, you can cause them to stop responding to that.
[50:39.480 --> 50:41.960]  They might have higher priority calls that come along.
[50:42.020 --> 50:46.360]  So you can set off more critical alarms than where you actually want to go.
[50:46.360 --> 50:54.880]  Security is going to go to that higher priority location and you now have a lack of response for where you are setting off whatever alarms you want to.
[50:54.960 --> 50:57.280]  They're often just plain old slow.
[50:57.280 --> 51:03.900]  So if there's not on-site security, if it's either an off-site security service or police that are called,
[51:03.900 --> 51:13.000]  they can take upwards of 30 minutes, maybe more, to get to the site and actually do a sweep and see if anything is amiss there.
[51:13.020 --> 51:15.060]  That is way too long.
[51:15.060 --> 51:20.000]  The vast majority of criminals are in and out well within that period of time.
[51:20.080 --> 51:26.220]  So just being fast enough that you outrun the response is usually sufficient as well.
[51:26.220 --> 51:32.880]  In terms of dealing with the response in an ethical hacking situation, so most commonly we see this with physical pen testing,
[51:32.880 --> 51:35.780]  there are a number of considerations to keep in mind.
[51:35.960 --> 51:42.620]  We don't want to diminish the ability of the facility to respond to a real threat that could do real damage.
[51:42.620 --> 51:52.420]  So that could happen both if we disable alarms, but also if we cause security to, say, have response fatigue on a particular alarm.
[51:52.420 --> 51:56.120]  Or if we cause them to be one place where there's a real incident and another.
[51:56.120 --> 51:57.860]  So that's something to consider.
[51:57.940 --> 52:10.080]  And we also don't want them, especially if it's the police, to be responding to us as ethical hackers at the expense of other potential calls.
[52:10.080 --> 52:15.340]  So fairly famously now within this community is the Iowa courthouse pen test case,
[52:15.340 --> 52:23.860]  where two individuals were hired to penetration test a courthouse and they ended up getting arrested and charged as a result of it.
[52:23.860 --> 52:27.740]  A lot of people made a lot of mistakes in that particular case.
[52:27.740 --> 52:47.520]  But one mistake that, in my humble opinion, the red team made is it was irresponsible of them to have those police officers called to the site without prior notice to the force at the possible expense of other higher priority calls.
[52:47.520 --> 52:57.000]  Someone could possibly have died as a result of that if there had been a higher priority life or death call that was averted as a result of responding to this.
[52:57.000 --> 53:05.960]  So that is a number of considerations for attacking the response and for dealing with any of these alarm situations.
[53:06.060 --> 53:16.980]  We want to make sure that we do it responsibly and in a way that does no harm or does no unreasonable harm as determined by the client and external stakeholders.
[53:17.680 --> 53:21.480]  So I encourage you to try it out.
[53:21.480 --> 53:28.580]  We've released a couple of little games that let you practice these aspects that we've talked about throughout this talk.
[53:28.580 --> 53:32.700]  It has been a lot, so feel free to ask me questions.
[53:32.700 --> 53:41.680]  Feel free to give suggestions for something that you'd like to see at a future Bypass Village that you can practice hands-on, hopefully in person at DEF CON 29.
[53:41.680 --> 53:47.460]  But for now, you can practice rewiring alarms and using magnets to disable reed switches.
[53:47.580 --> 53:51.180]  And with that, I would be happy to take any questions that you might have.
